Tanatos, also known as Bugbear, is a worm that drops a backdoor and keystroke-logging trojan, giving a remote attacker (cracker) access to most of the infected computer. On an unpatched system the worm can infect a computer as soon as its message is shown in the email client's preview pane. It may also send email stored on an infected system to a random email address, and it became notorious for sending itself to networked printers, which then printed pages of nonsense.

Tanatos can arrive on a system through email or over a network share. It uses several tricks (varied subject lines, attachment names copied from the sending machine, double file extensions, and a misleading MIME type) to avoid being identified automatically as a worm when it arrives as an email attachment. Its behaviour on the network is cruder and stranger, as described below.

Tanatos arrives on a system in an email message that is either a reply to or a forward of an existing message, or as a new message with one of the following subject lines:

Greets!

Get 8 FREE issues - no risk!

Hi!

Your News Alert

$150 FREE Bonus!

Re:, Your Gift

New bonus in your cash account

Tools For Your Online Business

Daily Email Reminder

News, free shipping!

its easy

Warning!

SCAM alert!!!

Sponsors needed

new reading

CALL FOR INFORMATION!

25 merchants and rising

Cows

My eBay ads

empty account

Market Update Report

click on this!

fantastic

wow!

bad news

Lost & Found

New Contests

Today Only

Get a FREE gift!

Membership Confirmation

Report

Please Help...

Stats

I need help about script!!!

Interesting...

Introduction

various

Announcement

history screen

Correction of errors

Just a reminder

Payment notices

hmm..

update

Hello!

The subject line may also be built from the name of a randomly selected file on the hard disk of the infected computer. The attachment name may be taken from a file on the computer that sent the worm, or it may be one of the following:

Readme

Setup

Card

Docs

News

Image

Images

Pics

Resume

Photo

Video

Music

Song

Data

Their extensions are .exe, .scr or .pif. When the file name is taken from a file on the previously infected computer, the attachment carries a double extension such as Document.txt.scr, the executable extension being appended to the original one, which can be any of:

.reg

.ini

.bat

.diz

.txt

.cpp

.html

.htm

.jpeg

.jpg

.gif

.cpl

.dll

.vxd

.sys

.com

.exe

.bmp

On a system running Internet Explorer 5.0 or 5.5, the attachment may run automatically when the message is displayed in the preview pane of Outlook or Outlook Express if Internet Explorer is unpatched against the Incorrect MIME Header vulnerability (MS01-020): the worm labels the executable attachment with a media Content-Type (for example audio/x-wav), which the vulnerable MIME handler executes instead of rendering.
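
The email vector described above (an executable attachment with one of the listed extensions, a double extension borrowed from a file on the sending machine, and a media Content-Type meant to trigger auto-execution in the preview pane) is the kind of thing a mail-gateway triage script can flag. The following is an added example, not code from the original page or from any antivirus vendor; the two messages in it are constructed for the example, not captured worm traffic, and the base64 body is a placeholder rather than a real binary.

```python
import email
import os
from email import policy

# Extensions the worm uses for its attachment, and the data-looking
# extensions it puts in front of them (both lists from the text above).
EXEC_EXTS = {".exe", ".scr", ".pif"}
DATA_EXTS = {".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm",
             ".jpeg", ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com",
             ".exe", ".bmp"}
# Top-level media types a mail client would try to render, not run.
PASSIVE_TYPES = {"audio", "image", "text", "video"}

# Constructed sample (not a captured worm message): double extension,
# media Content-Type on an executable, and "inline" disposition.
SAMPLE_EML = """\
From: someone@example.com
To: victim@example.net
Subject: Re: Your Gift
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: audio/x-wav; name="Document.txt.scr"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="Document.txt.scr"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message with an ordinary text attachment.
BENIGN_EML = """\
From: colleague@example.com
To: victim@example.net
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--b2--
"""


def triage(raw: str) -> list[str]:
    """Return a list of findings for one RFC 822 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        root, ext = os.path.splitext(name.lower())
        if ext not in EXEC_EXTS:
            continue
        findings.append(f"executable attachment: {name}")
        # Document.txt.scr: a data-looking extension hiding an executable one.
        if os.path.splitext(root)[1] in DATA_EXTS:
            findings.append(f"double extension: {name}")
        # Executable file name under a media type: the MS01-020 trick.
        ctype = part.get_content_type()
        if ctype.split("/")[0] in PASSIVE_TYPES:
            findings.append(f"MIME type {ctype} does not match executable {name}")
        # Inline disposition is what makes the preview pane act on the part.
        if part.get_content_disposition() == "inline":
            findings.append(
                f"inline disposition for executable {name} (preview-pane auto-run vector)")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

Each of the four findings the sample message produces is independently worth blocking on: a bare executable extension is the cheapest rule, but the media-type mismatch and inline disposition are the ones that distinguish a preview-pane auto-run attempt from a user who simply mailed a screensaver.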

Tanatos can also spread over networks through shared folders. One of its threads continually enumerates shared network resources and attempts to copy itself to each one under a random file name. The worm does not distinguish between kinds of shared resources, so it also writes itself to shared printers, which treat the binary as a print job; the result is a pile of print jobs and paper covered in unintelligible gibberish.

When Tanatos runs, it copies itself to the Windows System folder under a random four-letter name with a .exe extension. It also copies itself to the Startup folder as Cuu.exe on Windows 95, 98 or ME, or as Cti.exe on Windows NT, 2000 or XP.

It creates five encrypted files: two .dat files in the Windows folder (Okkqsa.dat and Ussiwa.dat) and three .dll files in the Windows System folder (Iccyoa.dll, Lgguqaa.dll and Roomuaa.dll). One of them holds the password required to connect to the backdoor component. Another, detected as the Hooker trojan, logs keystrokes, which can then be collected by anyone who uses the backdoor to access the computer. The remaining files are encrypted but not themselves malicious; they store the gathered passwords, email addresses and logged keystrokes.

It then adds a value, named with random letters and holding the worm's file name, to the local machine's startup registry key so that the worm runs each time the computer boots.
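
The file drops and the registry value described above give a host-side checklist: the named .dat and .dll files, the Cuu.exe/Cti.exe copy in the Startup folder, and a startup value with a random-letter name pointing at a four-letter .exe in the System folder that really exists on disk. The following is an added example of that correlation, not code from the original page or from any vendor's cleanup tool; the directory paths, the file inventory and the registry values are assumed sample data constructed for the example.

```python
import ntpath
import re

# Drop names from the text above. The directory paths are assumed example
# values for the host being checked, not something the worm hard-codes.
WINDOWS_DIR = r"c:\windows"
SYSTEM_DIR = r"c:\windows\system32"
STARTUP_DIR = r"c:\documents and settings\all users\start menu\programs\startup"

WINDOWS_DAT = {"okkqsa.dat", "ussiwa.dat"}
SYSTEM_DLLS = {"iccyoa.dll", "lgguqaa.dll", "roomuaa.dll"}
STARTUP_COPIES = {"cuu.exe", "cti.exe"}
FOUR_LETTER_EXE = re.compile(r"^[a-z]{4}\.exe$")
RANDOM_VALUE_NAME = re.compile(r"^[a-z]+$")

# Constructed sample inventory (not from a real host): a file listing and
# the values under the machine's startup key, as name -> data.
SAMPLE_FILES = [
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\xzqv.exe",
    r"c:\windows\system32\iccyoa.dll",
    r"c:\windows\system32\lgguqaa.dll",
    r"c:\windows\system32\roomuaa.dll",
    r"c:\windows\okkqsa.dat",
    r"c:\windows\ussiwa.dat",
    r"c:\windows\win.ini",
    r"c:\documents and settings\all users\start menu\programs\startup\cti.exe",
]
SAMPLE_RUN_VALUES = {
    "ctfmon": r"c:\windows\system32\ctfmon.exe",
    "pzrdk": r"c:\windows\system32\xzqv.exe",
}


def _by_dir(files):
    """Index lower-cased file names by their lower-cased directory."""
    index = {}
    for path in files:
        directory, name = ntpath.split(path.lower())
        index.setdefault(directory, set()).add(name)
    return index


def check_host(files, run_values):
    """Return a list of Tanatos/Bugbear indicators found in the inventory."""
    by_dir = _by_dir(files)
    windows = by_dir.get(WINDOWS_DIR, set())
    system = by_dir.get(SYSTEM_DIR, set())
    startup = by_dir.get(STARTUP_DIR, set())
    findings = []

    for name in sorted(STARTUP_COPIES & startup):
        findings.append(f"startup copy: {name}")
    if WINDOWS_DAT <= windows:
        findings.append("encrypted .dat pair in Windows folder")
    if SYSTEM_DLLS <= system:
        findings.append("encrypted .dll set in System folder")

    # Persistence: a value whose name is only letters and whose data is a
    # four-letter .exe in the System folder that is actually present.
    for value, data in run_values.items():
        directory, name = ntpath.split(data.lower())
        if (RANDOM_VALUE_NAME.match(value.lower()) and directory == SYSTEM_DIR
                and FOUR_LETTER_EXE.match(name) and name in system):
            findings.append(f"startup value {value} -> {name} in System folder")
    return findings


if __name__ == "__main__":
    for finding in check_host(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(finding)
```

The persistence rule deliberately requires all three properties together (random-letter value name, four-letter .exe, file present in the System folder); any one of them alone matches legitimate software often enough to be useless, and the legitimate ctfmon value in the sample shows why.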

Tanatos creates four threads. The first of these fires every 30 seconds and terminates any of the following processes (antivirus products and personal firewalls) that it finds running:

Zonealarm.exe

Wfindv32.exe

Webscanx.exe

Vsstat.exe

Vshwin32.exe

Vsecomr.exe

Vscan40.exe

Vettray.exe

Vet95.exe

Tds2-Nt.exe

Tds2-98.exe

Tca.exe

Tbscan.exe

Sweep95.exe

Sphinx.exe

Smc.exe

Serv95.exe

Scrscan.exe

Scanpm.exe

Scan95.exe

Scan32.exe

Safeweb.exe

Rescue.exe

Rav7win.exe

Rav7.exe

Persfw.exe

Pcfwallicon.exe

Pccwin98.exe

Pavw.exe

Pavsched.exe

Pavcl.exe

Padmin.exe

Outpost.exe

Nvc95.exe

Nupgrade.exe

Normist.exe

Nmain.exe

Nisum.exe

Navwnt.exe

Navw32.exe

Navnt.exe

Navlu32.exe

Navapw32.exe

N32scanw.exe

Mpftray.exe

Moolive.exe

Luall.exe

Lookout.exe

Lockdown2000.exe

Jedi.exe

Iomon98.exe

Iface.exe

Icsuppnt.exe

Icsupp95.exe

Icmon.exe

Icloadnt.exe

Icload95.exe

Ibmavsp.exe

Ibmasn.exe

Iamserv.exe

Iamapp.exe

Frw.exe

Fprot.exe

Fp-Win.exe

Findviru.exe

F-Stopw.exe

F-Prot95.exe

F-Prot.exe

F-Agnt95.exe

Espwatch.exe

Esafe.exe

Ecengine.exe

Dvp95_0.exe

Dvp95.exe

Cleaner3.exe

Cleaner.exe

Claw95cf.exe

Claw95.exe

Cfinet32.exe

Cfinet.exe

Cfiaudit.exe

Cfiadmin.exe

Blackice.exe

Blackd.exe

Avwupd32.exe

Avwin95.exe

Avsched32.exe

Avpupd.exe

Avptc32.exe

Avpm.exe

Avpdos32.exe

Avpcc.exe

Avp32.exe

Avp.exe

Avnt.exe

Avkserv.exe

Avgctrl.exe

Ave32.exe

Avconsol.exe

Autodown.exe

Apvxdwin.exe

Anti-Trojan.exe

Ackwin32.exe

_Avpm.exe

_Avpcc.exe

_Avp32.exe
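
The 30-second kill loop above has a detectable rhythm: security-product processes on the list keep being terminated at a fixed interval, which a user closing a tool once never produces. The following is an added example of that temporal check, not code from the original page or from any product; the process-event log is constructed for the example, and the kill list it matches against is a subset of the one above.

```python
from datetime import datetime

# Subset of the process names the worm's first thread terminates (the full
# list is in the text above); matched case-insensitively.
KILL_LIST = {"zonealarm.exe", "navw32.exe", "avp32.exe", "blackice.exe",
             "outpost.exe", "persfw.exe", "vsstat.exe", "iamapp.exe"}

# Constructed sample log (not a real capture): "<date> <time> <event> <process>".
SAMPLE_LOG = """\
2002-10-01 09:00:00 terminated ZoneAlarm.exe
2002-10-01 09:00:12 started notepad.exe
2002-10-01 09:00:30 terminated ZoneAlarm.exe
2002-10-01 09:01:00 terminated ZoneAlarm.exe
2002-10-01 09:01:30 terminated navw32.exe
2002-10-01 09:02:00 terminated navw32.exe
2002-10-01 09:05:00 terminated notepad.exe
"""


def parse_log(text):
    """Parse log lines into (timestamp, event, lower-cased process) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, proc = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), action, proc.lower()))
    return events


def periodic_kills(events, period=30.0, tolerance=2.0):
    """Count consecutive terminations of kill-list processes spaced about
    `period` seconds apart, across all such processes, and report which
    processes were involved. A loop that re-kills security tools every 30 s
    produces a long chain of such intervals."""
    hits = sorted((t, p) for t, action, p in events
                  if action == "terminated" and p in KILL_LIST)
    intervals = 0
    procs = set()
    for (t0, p0), (t1, p1) in zip(hits, hits[1:]):
        if abs((t1 - t0).total_seconds() - period) <= tolerance:
            intervals += 1
            procs.update((p0, p1))
    return intervals, sorted(procs)


def suspicious(events, min_intervals=3):
    """True when enough evenly spaced kills were seen to call it a loop."""
    intervals, _ = periodic_kills(events)
    return intervals >= min_intervals


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(periodic_kills(ev), suspicious(ev))
```

Counting intervals across the whole kill list rather than per process matters: the thread kills whichever listed process is running at each tick, so the rhythm is visible in the merged stream even when each individual product is only hit once or twice before it stops restarting.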

The second thread searches for email addresses in mail client data files (mailboxes, cached messages and address books) with the following extensions:

.mmf

.nch

.mbx

.eml

.tbb

.dbx

.ocs

The thread reads the current user's email address and SMTP server from the registry key that stores them, and uses the address to avoid mailing itself back to the machine it already infects. Tanatos then sends itself to every address it found. Sometimes the worm builds the spoofed Sender address from information taken from the computer.

Tanatos gets its name from the text string "Project Tanatos" found in the original variant. The name is probably a reference to Thanatos (Greek: Θάνατος), the ancient Greek personification of death; in languages that lack the "th" sound, the name is spelled Tanatos.

Its more common name, Bugbear, was originally that of a legendary monster invoked to frighten disobedient children, similar to a bogeyman. The word has also been used for a scarecrow, and for various creatures (usually some form of wild beast) in Harry Potter, Dungeons & Dragons, Final Fantasy and elsewhere.

Tanatos initially failed to chart, beaten out by variants of Klez, Yaha and a few others (Loveletter was still high in the virus/worm charts at the time). By Halloween (31 October 2002), however, Tanatos had overtaken Klez.H as the most common worm. Klez overtook Tanatos again in February 2003.

MessageLabs and the Straits Times initially reported that Tanatos originated in Malaysia. Malaysian authorities confirmed that the first reports of the worm did come from Malaysia, but there was no confirmation that it had actually been written or first released there.